UNCLASSIFIED

United States Department of State
and the Broadcasting Board of Governors

Office of Inspector General

Office of Audits

Review of the Information Security
Program at the Department of State
(FISMA)

Report Number AUD/IT-08-36, October 2008

Important Notice
This report is intended solely for the official use of the Department of State or
any agency receiving the report directly from the Office of Inspector General.
No secondary distribution may be made outside the Department of State or by
other agencies or organizations in whole or in part, without prior authorization
by the Inspector General. Public availability of the document will be determined
by the Inspector General under the U.S. Code 5 U.S.C. 552. Improper
disclosure of this report may result in criminal, civil, or administrative penalties.

PREFACE

This report was prepared by the Office of Inspector General (OIG) pursuant to the
Inspector General Act of 1978, as amended, Section 209 of the Foreign Service Act of 1980,
the Arms Control and Disarmament Amendments Act of 1987, and the Department of State and
Related Agencies Appropriations Act, FY 1996. It is one of a series of audit, inspection,
investigative, and special reports prepared by OIG periodically as part of its oversight
responsibility with respect to the Department of State and the Broadcasting Board of Governors
to identify and prevent fraud, waste, abuse, and mismanagement.

This report is the result of an assessment of the strengths and weaknesses of the office, post,
or function under review. It is based on interviews with employees and officials of relevant
agencies and institutions, direct observation, and a review of applicable documents.

The recommendations therein have been developed on the basis of the best knowledge
available to the OIG, and have been discussed in draft with those responsible for
implementation. It is my hope that these recommendations will result in more effective,
efficient, and/or economical operations.

I express my appreciation to all of those who contributed to the preparation of this report.

Mark W. Duda
Assistant Inspector General for Audits

Address correspondence to: U.S. Department of State, Office of Inspector General, Washington, D.C. 20522-0308

TABLE OF CONTENTS

EXECUTIVE SUMMARY
BACKGROUND
SCOPE AND METHODOLOGY
RESULTS
    Inventory Management
    Plan of Action and Milestones Process
    Certification and Accreditation
    Privacy
    Configuration Management
    Incident Reporting
    Security Awareness Training, Peer-to-Peer File Sharing
RECOMMENDATIONS
APPENDIX A - Department Response

EXECUTIVE SUMMARY

In response to the annual requirements of the Federal Information Security
Management Act of 2002 (FISMA),[1] the Office of Inspector General (OIG) performed an
independent evaluation of the information security program at the Department of State
(Department).
OIG reviewed the Department's progress in addressing information
management and information security program requirements per FISMA and other
statutory requirements, including Office of Management and Budget (OMB) guidance.
The OIG team assessed performance in various areas, including inventory, plan of action
and milestones (POA&M), certification and accreditation (C&A), security planning,
contingency planning, risk management, incident response, security awareness and
training, configuration management, and privacy requirements.

Since last year, the Department has taken several steps to improve management
controls, including conducting a comprehensive data call of all of its domestic bureaus
and overseas posts in an effort to accurately identify its FISMA reportable inventory.
The Department improved its POA&M process by developing databases to manage the
POA&M process and posting a toolkit on its website to assist system owners with the
POA&M process for those systems that require C&A. The Department's C&A process
and quality also improved since OIG's review last year. The Department also has made
progress in addressing its privacy responsibilities. The Department documented its
agency-wide requirements for configuration management within policy established by the
Bureaus of Diplomatic Security (DS) and Information Resource Management (IRM).
Further, the Department implemented several new initiatives in FY 2008 to improve its
incident reporting services and analyses. Finally, the Department began addressing the
awareness training requirement for non-system employees, an issue previously reported
by OIG.

While improvements have been made, OIG identified controls needing further
enhancements. Specifically, the Chief Information Officer (CIO) should ensure that:
    • annual inventory data call activities are rescheduled to allow sufficient time to
      complete the analysis of pending items prior to the annual FISMA review;
    • system owners are provided with improved guidance for properly identifying
      contractor-owned or operated systems and how to report them for systems
      inventory purposes;
    • national security systems are properly classified and accounted for by IRM and
      DS in their respective FISMA inventories;
    • a method is developed and made available to systems owners for providing timely
      and complete updates to POA&M data;
    • system connection agreement controls between Department system owners and
      external connection system owners are developed and tested to serve as a
      compensating control for systems security plan testing;
    • critical controls are identified and tested annually;
    • the policy on contingency planning is updated to include a requirement that test
      results are incorporated into an updated contingency plan;
    • guidance is provided to systems owners for ensuring adequate documentation and
      incorporation of test results into the POA&M process;
    • a process is developed and documented for identifying and describing
      interconnectivity between contractor systems and the Department;
    • Interconnection Security Agreements and Memoranda of
      Agreement/Understanding are developed and maintained for contractor-owned
      and/or operated systems; and
    • a process is established to monitor and validate security awareness training
      provided to those individuals without access to Department networks.

[1] 44 U.S.C. § 3545 et seq.

BACKGROUND

Section 3545 of FISMA directs each agency to conduct an annual independent
evaluation of its information security program and practices. FISMA provides a
comprehensive framework for establishing and ensuring the effectiveness of
management, operational, and technical controls over information technology (IT) that
supports federal operations and assets, and it provides a mechanism for improved
oversight of federal agency information security programs. OMB Memorandum M-08-21,[2]
issued on July 14, 2008, contained guidance to assist OIGs on reporting FISMA
performance metrics.

Section 3544(b) of FISMA requires that agencies develop, document, and
implement an agency-wide information security program.
As part of that program,
section 3544(b)(6) requires that the CIO develop a process for planning, implementing,
evaluating, and documenting remedial action to address any deficiencies in the
information security policies, procedures, and practices of the agency. OMB
Memorandum M-04-25,[3] dated August 23, 2004, discusses the POA&M requirements for
federal agencies, which include identifying tasks that need to be accomplished, resources
required to accomplish the elements of the POA&M, milestones to meet the task, and
scheduled milestone completion dates. The memorandum includes a spreadsheet to be
used as a model to develop POA&Ms, including details such as identified weaknesses,
point of contact, resources required, scheduled completion date, milestones with
completion date, changes in milestones, identification of weaknesses, and status.
National Institute of Standards and Technology (NIST) SP 800-53[4] lists the security
controls that system owners should implement for their systems, depending on
applicability to the system. The annual C&A process required by NIST SP 800-37[5]
identifies security control weaknesses requiring remediation.

[2] Office of Management and Budget Memorandum M-08-21, FY 2008 Reporting Instructions for the
Federal Information Security Management Act and Agency Privacy Management, July 14, 2008.
[3] Office of Management and Budget Memorandum M-04-25, Memorandum for Heads of Executive
Departments and Agencies, August 23, 2004.
[4] NIST SP 800-53, Recommended Security Controls for Federal Information Systems, December 2006.
[5] NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems,
May 2004.

SCOPE AND METHODOLOGY

The OIG team consisted of staff with the OIG Office of Audits and the audit
services firm of Regis & Associates, PC. References to the work conducted for this
evaluation by OIG refer to this team. To perform the FISMA evaluation, OIG researched
federal laws, regulations, and guidance to identify relevant criteria for implementing and
managing information security programs. To identify prior issues and to follow up on
past recommendations, OIG also reviewed previous reports on evaluations of the
Department's information security and privacy programs. OIG reviewed documents
provided by Department officials regarding systems inventory, C&A, POA&Ms, standard
operating procedures, process guides, and training. OIG's analysis was based on
information and documentation for the period ending the third quarter of FY 2008 to
allow sufficient time for analysis and verification by the team. The Department is
reporting its inventory numbers based on the fourth quarter of FY 2008. OIG
judgmentally selected a subset of 21 of 182 high- and moderate-impact level systems.
The Department's inventory comprised 357 systems. OIG selected its subset sample
from the high- and moderate-impact level systems, consisting of 38 and 144 systems
respectively, for a total of 182. With this subset of 21 systems, OIG performed an in-depth
review of the Department's management controls over its information systems
inventory, contingency plans and annual testing, C&A, POA&M, privacy, and
configuration management processes.

OIG met with officials in DS, IRM, and the Bureau of Administration (A Bureau)
to discuss roles and responsibilities for implementing and managing information security
programs for Department networks. OIG met with DS and IRM officials regarding
C&A, configuration management, the POA&M process, and security awareness training.
In addition, OIG met with officials in the A Bureau regarding privacy policy and the
protection of personally identifiable information (PII). The team also sent a
questionnaire and contacted bureau system owners for the 21 sample systems to obtain
information pertaining to their respective information systems concerning the lifecycle of
systems. OIG discussed, with officials from OMB, expectations for government-wide
compliance with Federal Desktop Core Configuration (FDCC) requirements.

The results of OIG's review are discussed below and in the attached reporting
template. OIG's Office of Audits conducted its fieldwork for this review from
June 19, 2008, to August 29, 2008. A draft of this report was provided to officials in the
A, IRM, and DS bureaus for their management review and comment, and the comments
were considered and incorporated into this final report as appropriate.

In its October 2, 2008, formal response, Department officials concurred with all
of the recommendations made by OIG in this report (see Appendix A). Based on the
corrective actions underway and planned, OIG considers all of the recommendations
resolved, pending final action. Comments or questions about the report may be directed
to Karen Bell, Deputy Assistant Inspector General for Audits, at bellk@state.gov or by
telephone at 703-284-2604.

RESULTS

Inventory Management

The Department has put significant effort into producing a reliable and accurate
inventory under the guidelines of FISMA. For FYs 2007 and 2008, the Department has
conducted a comprehensive data call to all of its domestic bureaus and overseas posts in
an effort to identify all information systems and related assets.
The Department's
methodology to determine its total number of systems reportable for FISMA includes a
combination of Federal Information Processing Standards (FIPS) Publication 199 and the
Department of State Guidelines on Definitions Related to Federal Information Systems.[6]
The Department's system inventory reported for FISMA is based on its information as of
the fourth quarter of FY 2008. OIG performed its analysis of the inventory process and
reportable systems based on third quarter FY 2008 information because of report
deadlines.

Improvements have been made in achieving a complete systems inventory, but
more enhancements are needed to ensure that all applicable systems and assets are
properly identified as or associated with reportable systems.

Improvements Made

According to Department officials, the inventory process includes an annual data
call to identify, qualify, and quantify all information systems in use at each bureau and
overseas post. The process is intended to identify the universe of information systems
and IT assets such as networks (general support systems), applications, and websites.
Using the results of the data call, IRM's Office of Information Assurance (IRM/IA)
populates two primary databases: the IT Asset Baseline (ITAB) and the FISMA
Inventory Database. ITAB stores the universe of the Department's IT assets inventory
and is used to track and report the IT assets managed by the Department. The FISMA
Inventory Database stores information on identified major information systems that are
FISMA reportable. IRM/IA analyzes the data in the ITAB database with the asset owner
in order to identify the major information systems that should be reported in the inventory
as those evaluated for FISMA compliance and inputs additional information into the
FISMA Inventory Database.

[6] FIPS Publication 199, Standards for Security Categorization of Federal Information and Information
Systems, February 2004. The Department of State Guidelines on Definitions Related to Federal
Information Systems, May 2007. The overriding standard is Section 6 of OMB Circular A-130,
Management of Federal Information Resources.

Per the Department's inventory policy[7] in effect at the time of OIG's review, the
FISMA reportable inventory consists of major information systems in accordance with
FIPS Publication 199 and includes agency systems, contractor systems, and websites.
Minor applications and subsystems are aligned with related networks based on business
functions. Further, the Department determines inclusion of an information system in its
inventory by analyzing it in terms of its cost and security risk. In any given year, a
system is considered high cost if it is a general support system (GSS);[8] a major
acquisition per OMB Exhibit 300[9] submission; a subsystem within a major acquisition;
or has labor costs more than $500,000;[10] or total costs of more than $2 million. Based on
the Department's methodology, each major information system included in the inventory
must also be categorized by its security risk of high-, moderate-, or low-impact level, and
meet the cost criteria of high. Except for low impact-low cost systems, all other types are
considered by the Department to be major information systems and are included in the
FISMA inventory of systems. Systems not categorized by security risk are referred to as
"non-categorized." There were none identified by the Department in the inventory for
FY 2008.

Based on OIG's review of the Department's inventory process as of the end of the
third quarter of FY 2008, the rationale and methodology for identifying the FISMA-reportable
inventory appears reasonable. However, OIG noted that the Department's
total number of systems may be incomplete because it had not completed its analysis of
IT items identified as "pending." Because the data call captures all types of IT assets,
OIG believes that it is reasonable to expect that not all pending items will be classified as
systems.

Improvements Needed

IRM/IA's FISMA Inventory Database is updated from the annual data call and
refreshed/updated quarterly. According to IRM/IA officials, the FY 2008 data call,
initiated in April 2008, requested comprehensive IT systems and asset information. As of
August 2008, IRM/IA was still analyzing the data provided by domestic and overseas
information management personnel. "Pending" items represent agency-owned IT assets
captured from the data call in the ITAB database that have not been analyzed sufficiently
for IRM/IA to make a decision on whether these items should be included in the FISMA
Inventory Database. Because the data call captures all types of IT assets, OIG believes
that it is reasonable to expect that not all pending items will be classified as systems.

[7] FIPS Publication 199, Standards for Security Categorization of Federal Information and Information
Systems, February 2004; the Department of State Guidelines on Definitions Related to Federal
Information Systems, May 2007.
[8] A general support system is an interconnected set of information resources under the same direct
management control that share common functionality. It normally includes hardware, software,
information, data, applications, communications, and people. Sources: NIST SP 800-53 and OMB Circular
A-130, Appendix III.
[9] OMB Exhibit 300 refers to Capital Asset Plan and Business Case Summary.
[10] Subsequent to the initiation of OIG's review, the Department updated its definitions policy in July 2008
to change the $500,000 labor cost threshold to more than four full-time equivalent (FTE) IT staff for any
given year.

IRM/IA is not expected to complete its analysis of the pending items until the end of FY
2008. OIG notes that as of the preparation of this report, the Department had 355 items
listed as "pending." As a result, the Department's agency-owned FISMA reportable
inventory for 2008 is based upon the major information systems identified in the database
as of the end of the third quarter, rather than for the entire fiscal year, and the inventory
may not be complete. IRM/IA has not been able to complete its analysis of the pending
items list because of competing priorities for staff to address both the data call responses
and the FISMA review and reporting milestones.
The Chief Information Security Officer
(CISO) stated that IRM/IA may adjust its data call time period so that all evaluation and
verification can be completed prior to the next FISMA review.

During its evaluation, OIG submitted a questionnaire to the owners of the 21
selected systems to obtain information on their overall system inventories, which
revealed that five contractor-owned and operated systems had not been included in the
ITAB database and that IRM/IA had not been notified of the existence of these systems.
Specifically, the Global Financial Management System interfaces with the following
contractor-owned systems: Citibank, Carlson-Wagonlit ITS/GTS, American Express
ITS/GTS, US Bank/PowerTrack, and Carlson-Wagonlit eTravel. These systems had not
been reported as inventory by the Bureau of Resource Management (RM), the business
unit for these functions. Therefore, OIG initially concluded that these five contractor
systems should have been included in the Department's reportable inventory to ensure
contractor oversight. When these omissions were discussed with IRM/IA officials, they
responded that according to follow-up they subsequently conducted with the business
unit, four of the five systems should be considered "corporate systems" and therefore are
not subject to FISMA compliance or included in the inventory as contractor systems
based on OMB reporting instructions. However, OIG did not separately verify with the
system owner that these systems are corporate systems. The fifth system, Carlson-Wagonlit
eTravel, was determined by IRM/IA to already be in the FISMA inventory
under the name "E2Solutions E-Gov Travel Service."

Per OMB requirements, all National Security Systems (NSS) are to be included in
the Department's reportable inventory. NSS are information systems used or operated by
an agency, by a contractor of an agency, or by another organization on behalf of an
agency, which involve intelligence activities, cryptologic activities, command and
control of military forces, equipment that is an integral part of a weapon or weapons
system, or military or intelligence missions. OIG noted that the Department had
identified approximately 30 NSS major information systems in its FISMA inventory.
However, by reviewing IRM's Systems Integrity Division website, which handles
cryptologic services, the OIG determined that three items identified as "systems" were
not listed in either the ITAB or the FISMA Inventory Database or identified by IRM/IA
as an NSS. As a result, OIG initially believed that the Department was not fully
evaluating or reporting a complete systems inventory, to include interfaces and
components of larger systems, for FISMA compliance.

In a meeting with IRM/IA and DS officials about this NSS discrepancy, OIG was
informed that these three systems are currently considered to be media devices
(hardware) used for processing manually derived information, and should not have been
identified as systems on the IRM website. In addition, these three media devices are in
the process of being converted to electronic devices and will be combined under one
system known as "Communications Security (COMSEC)," which will be included in the
FY 2009 Intelligence Community FISMA inventory that DS maintains and which is
separate from the FISMA inventory that IRM/IA maintains. During this clarification
discussion, OIG observed the need for enhanced coordination and communication within
the Department with regard to the proper identification and classification of NSS and
intelligence systems inventories.

The data call efforts are a commendable and productive initiative by the
Department to reach out to all system owners to obtain comprehensive systems
information. However, conducting the annual data call earlier in the fiscal year may
enable the Department to complete its analysis earlier and include relevant assets in the
FISMA evaluation and reporting period. This may also permit IRM/IA to use ITAB
more effectively as an interim repository for data analysis prior to inclusion in the
Department's FISMA Inventory Database.

Recommendation 1: The Chief Information Officer should reschedule annual inventory
data call activities to allow sufficient time to complete the analysis of pending items prior
to the annual FISMA review.

Recommendation 2: The Chief Information Officer should ensure that system owners
are provided with improved guidance for properly identifying contractor-owned or
operated systems and how to report them for systems inventory purposes.

Recommendation 3: The Chief Information Officer should ensure that national security
systems are properly classified and accounted for by the Bureaus of Information
Resources Management and Diplomatic Security in their respective Federal Information
Security Management Act inventories.

Plan of Action and Milestones Process

Improvements Made

Agencies should use the POA&M process as a management tool for identifying
and tracking remedial actions. The POA&M process is designed to resolve IT security
control weaknesses with prioritization to ensure vulnerabilities are addressed in a timely
and cost-effective manner.
An elTcctive POA&M process ensures that security control\nweaknesses do not result in the unauthorized access, use, disrupt ion, disclosure,\nmodification, or destruction of information.\n\n       The Department exercised a focused effort and has markedly improved its\nPOA&M process s ince last year\'s FISMA review, specifically in the areas of\nincorporating and prioritizing known IT security weaknesses; incorporating 010\nlindings; and centra lly tracking, maintaining, and rev iewing POA&M activ iti es on a\n\n\n\n                                                                                               8\n\x0cregular basis. As a result, OIG has increased the status of five of six performance\nelements for this fiscal year based on results of information as of the end of the third\nquarter ofFY 2008. O IG reviewed information on the bu reau-level and Department\xc2\xad\nwide databases that IRMIIA had developed to centralize and track POA&M actions. As a\nresult, based on an evaluation of the 21 selected systems, O IG coneluded that that the\nDepartment\'s POA&M process incorporated over 95 percent of all known security\ncontrol weaknesses agency-wide. O IG found only one system in its samp le that did not\nincorporate action items resulting From the C&A testing phase into the POA&M . OIG\nalso found that IRM/ IA regu larly tracked, maintained, and reviewed the POA&M action\nitems; however, it did not always rece ive timely and updated POA&M information from\nthe system owners throughout the year.\n\n        As one of the sign ificant improvements made, IRMIIA developed bureau-level\nand Department POA&M databases hOLlsed on IRM/ IA servers for each system owner to\nuse to manage its POA&M progress. IRMIIA also developed a toolkit on its website to\nassist system owners with the POA&M process for those systems that require C&A. 
The\ntoolkit conta ins background infonnation, requirements, and frequently asked questio ns so\nthat system owne rs can document and track POA&Ms in a consistent manner. The\nwebsite contains presentations and information designed to educate system owners on\nhow to use the POA&M database. IRMIIA also provides wo rkshops for system owners\nto better understand how to use the POA&M database tool.\n\n        POA&M action items resu lt from security weaknesses that are identified through\ntests and audits of security controls, as required by N IST SP 800-5 3. These tests and\naudits include independent reviews, such as those conducted by OIG, the Government\nAccountabil ity Office, and DS; penetration testing ; self-assessments; cont inuous\nmonitoring; and sec urity incidents. For systems req uiring C&A , security control\nweaknesses arise during testing and should be remediated either through the POA&M\nprocess or as an immediate action item. A POA&M action should be created when the\nweakness cannot be corrected immediately.\n\n        System owners record identified weaknesses in a POA&M tester database that is\nsubmitted to IRMIIA; integrated into IRM/1A\'s bureau-level database ; and finally,\nuploaded into the Department-wide POA&M database. From this database, IRM/ IA\ntracks, maintains, and reviews the POA&M information for each bureau Department\xc2\xad\nwide and generates reports for OMS submission. Weaknesses identified from OIG\nreviews are also electronically transferred into the Department-wide POA&M database\nvia a data extract of information from the OIG Compliance Analysis Tracking\nDatabase- a new effort initiated by the Department this year.\n\n         O IG reviewed POA&M infonnation for the 21 systems identified for the FISMA\nevaluat ion of a subset of systems, including the information contained within the\nDepartment-wide POA&M database. 
O IG also uti lized a questionnaire with system\nowners in nine bureaus to determine whether they used POA&M action items to\nprioritize and address weaknesses requiring remediation. O IG also met with and\ngathered supporting information from IRMIIA officials. Based on its review, 010\n\n\n\n                                                                                        9\n\x0cobserved that the Department\'s POA&M process is an agency-w ide process and that\nslightly over 95 percent of the 21 system s revi ewed incorporated all known IT security\nweaknesses. The system owners trac k POA&Ms to completion and use the information\nto plan and prioritize resources as needed to address systems security. Further, the\nDepartment CIO and CISO jointly rev iew POA&M inforrnation on a quarterly basis.\nAdditionally, IRMflA personnel review the POA&M bureau-level databases and contact\nsystem owners when corrective actions for POA&M items are overdue. IRM/IA\nmonitors the databases closely and provides assistance where needed to ensure that the\nPOA&Ms are addressed .\n\n         During FY 2008, the Department also implemented the pilot phase ofa Site Risk\nScoring process to measure IT security vulnerabilities and risks at each domestic and\noverseas site. According to IRMIIA officials during di scussions with and demonstrations\nfor OIG, the scoring process provides Informati on Management Officers, Information\nSystems Security Officers, and syste m owners with details of vulnerabilities present on\ndevices at the site and shows managers their relevant risk co mpared with the risk of the\nrest of the organ iza ti on. The scori ng process assigns a letter grade to respon sible\nbusiness units and helps identify and analyze the risks present at each site. 
While OIG did not evaluate this process and cannot provide an assessment of its effectiveness at this time, it received briefings and discussed the process with IRM/IA officials to obtain an understanding of its merits. The Department plans to incorporate the site-risk grading result into the current POA&M process so that it is addressed as a POA&M action item when improvements are needed to increase grading.

Improvements Needed

OIG determined that the Department included the POA&Ms in the bureau-level database and in the Department POA&M database, but that the system owners did not always provide timely updates to IRM. To compare POA&M information from the testing phase to the Department-wide POA&M database, OIG obtained POA&M information via the electronic C&A packages in the OIG read-only folder created by IRM/IA for the subset of systems in its FISMA review. Although OIG reviewed the POA&M process and relevant information, it did not substantively test them to ensure that they contained all actions resulting from C&A testing of the NIST SP 800-53 controls and that the actions were consistently prioritized. However, OIG observed that for three systems, several exceptions that resulted from the C&A testing phase were not included as POA&M action items, but that the majority were excluded for valid reasons. OIG discussed the exceptions with IRM/IA officials and was told that the items should have been included in a follow-on POA&M for only one of the three systems because of NIST SP 800-53 specifications in testing discretion. The other two systems had valid exceptions that resulted from testing and, therefore, were not required to report POA&M action items. One system was an NSS and testing of NIST SP 800-53 security controls was not required, and the other system did not require testing of all controls because of the NIST SP 800-53 discretion given to testers. For the system where POA&M action items were necessary, IRM/IA planned to enter the exceptions into the Department POA&M database and form POA&M action items during the fourth quarter of FY 2008.

Regarding the accuracy and completeness of existing information in the POA&M databases, OIG observed that the bureaus had not always provided all necessary information to IRM/IA to update the bureau-level database and, consequently, the Department POA&M database. Previously, IRM/IA used SAFIRE[11] to maintain POA&M data, and bureau officials updated relevant information in the application. During the past year, IRM/IA officials transferred the information from SAFIRE into the Department POA&M database. However, during the time of OIG's review, the Department database did not contain current POA&M information in all instances.

OIG observed that the Department-wide POA&M database did not always reflect current information concerning points of contact, closed action items, and milestone changes. IRM/IA officials stated that they have asked bureau officials for this missing information, but that they have not always received it. Also, IRM/IA officials stated that they did not always receive updated POA&M information from the system owners. OIG verified this matter while requesting POA&M information from system owners. For example, OIG noted occurrences of POA&M status for a particular system shown as "open" in the Department-wide POA&M database when in fact the system owner had already addressed and closed the item. OIG also observed that points of contact listed in the POA&M database were incorrect, another issue that IRM/IA officials confirmed and need to address with system owners.

Additionally, OIG determined that the POA&M database did not show an audit trail of milestone date changes.
Specifically, the POA&M action items did not contain milestones, and showed only the current scheduled completion dates. Per OMB Memorandum M-04-25,[12] agencies should include milestones and date changes in the POA&M process. IRM/IA officials, however, indicated that the guidance did not require the milestone changes to be listed but only suggested that the agencies include such information. While this is a valid interpretation of the guidance, OIG believes that it would be a good business practice for the Department to consider tracking the milestones for implementing the POA&M action items and document any changes to the milestone dates to ensure an audit trail is available for the Department to identify whether POA&M actions are progressing effectively.

According to IRM/IA, the CIO is contacting system owners via letters and telephone calls to detail their respective POA&M status. The contact advises system owners that they will not be viewed favorably during the FISMA review if they do not provide current information to IRM/IA. OIG agrees with this approach and further encourages the Department to develop a mechanism for ensuring that the system owners provide updated POA&M information to IRM/IA on a regular basis.
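As an added illustration (not code from this report or from the Department), the following Python sketch shows a POA&M record that keeps the milestone-change audit trail OIG recommends above and reconciles a Department-wide copy of each item against the system owner's copy, surfacing the discrepancies the review found: items still "open" centrally after the owner closed them, outdated points of contact, and milestone dates that changed without the change being recorded. All item identifiers, system names, dates and people are constructed sample data; the 90-day staleness threshold is an assumed value, not a Department policy.

```python
import copy
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

TODAY = date(2008, 6, 30)   # constructed "as of" date for the sample run


@dataclass
class MilestoneChange:
    """Audit-trail entry: when a milestone date moved, from what to what, by whom and why."""
    changed_on: date
    old_date: date
    new_date: date
    changed_by: str
    reason: str


@dataclass
class POAMItem:
    item_id: str
    system: str
    weakness: str
    point_of_contact: str
    scheduled_completion: date
    last_updated: date
    status: str = "open"                                   # "open" or "closed"
    history: List[MilestoneChange] = field(default_factory=list)

    def reschedule(self, new_date: date, changed_by: str, reason: str, on: date) -> None:
        """Move the milestone but keep the previous date in the audit trail."""
        self.history.append(MilestoneChange(on, self.scheduled_completion, new_date, changed_by, reason))
        self.scheduled_completion = new_date
        self.last_updated = on

    def close(self, on: date) -> None:
        self.status = "closed"
        self.last_updated = on


def overdue(items: List[POAMItem], today: date) -> List[str]:
    """Open items whose scheduled completion date has already passed."""
    return sorted(i.item_id for i in items if i.status == "open" and i.scheduled_completion < today)


def stale(items: List[POAMItem], today: date, max_age_days: int = 90) -> List[str]:
    """Items not touched within max_age_days (assumed threshold): the owner has neither
    closed nor rescheduled them, so the central copy may well be out of date."""
    return sorted(i.item_id for i in items if (today - i.last_updated).days > max_age_days)


def reconcile(department_db: Dict[str, POAMItem], owner_db: Dict[str, POAMItem]) -> List[str]:
    """Compare the Department-wide copy of each item with the system owner's copy and
    list the discrepancies: status, point of contact and milestone date."""
    findings: List[str] = []
    for item_id, central in sorted(department_db.items()):
        local = owner_db.get(item_id)
        if local is None:
            findings.append(f"{item_id}: in Department database but unknown to system owner")
            continue
        if central.status != local.status:
            findings.append(f"{item_id}: status {central.status!r} centrally, {local.status!r} at owner")
        if central.point_of_contact != local.point_of_contact:
            findings.append(f"{item_id}: point of contact differs")
        if central.scheduled_completion != local.scheduled_completion:
            findings.append(f"{item_id}: milestone date differs "
                            f"({len(local.history)} change(s) in owner audit trail)")
    for item_id in sorted(owner_db.keys() - department_db.keys()):
        findings.append(f"{item_id}: recorded by owner but missing from Department database")
    return findings


def build_sample() -> Tuple[Dict[str, POAMItem], Dict[str, POAMItem]]:
    """Constructed sample: the Department copy was last synchronised months ago,
    while the owner has since closed one item and rescheduled another."""
    central = {
        "POAM-1": POAMItem("POAM-1", "SystemA", "No interconnection agreement for external feed",
                           "alice", date(2008, 3, 31), last_updated=date(2008, 1, 15)),
        "POAM-2": POAMItem("POAM-2", "SystemA", "Audit log review not performed quarterly",
                           "bob", date(2008, 9, 30), last_updated=date(2008, 5, 1)),
    }
    owner = copy.deepcopy(central)
    owner["POAM-1"].point_of_contact = "carol"            # staff changed; never reported centrally
    owner["POAM-1"].close(on=date(2008, 4, 10))
    owner["POAM-2"].reschedule(date(2008, 12, 31), "bob", "vendor patch slipped to Q1", on=date(2008, 6, 1))
    return central, owner


if __name__ == "__main__":
    central, owner = build_sample()
    print("overdue centrally:", overdue(list(central.values()), TODAY))
    print("stale centrally:", stale(list(central.values()), TODAY))
    for line in reconcile(central, owner):
        print(line)
```

Run against the sample, the central copy reports POAM-1 as overdue and stale even though the owner closed it in April, and the reconciliation lists three discrepancies; the owner's audit trail still shows the original 30 September date for POAM-2, which is the record the report says the Department database lacked.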
The Department has made progress with its overall POA&M process; however, these additional measures with system owners will further strengthen this process, including reporting current and accurate information to Department management and OMB.

[11] The State Automated FISMA Environment Reporting tool was used by the Department to record the inventory of applications prior to using ITAB, the Information Technology Applications Baseline.
[12] Office of Management and Budget Memorandum M-04-25, Memorandum for Heads of Executive Departments and Agencies, August 23, 2004.

Recommendation 4: The Chief Information Officer should coordinate with system owners to develop a method to ensure that each system owner provides timely and complete updates to plans of action and milestones databases and relevant officials, including the Bureau of Information Resources Management, Office of Information Assurance, on a regular basis.

Certification and Accreditation

The Department has made significant improvement this fiscal year in providing the supporting documentation that demonstrates its compliance with C&A of Federal information systems standards under guidance found in OMB Circular A-130, Appendix III, Security of Federal Information Resources and NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.
As such, OIG has increased the overall rating in this discipline from "satisfactory" to "good."

In accordance with OMB and NIST guidance, agency management officials are to provide authorization to process information as a result of the accreditation process. Management's authorization should be based on an assessment of management, operational, and technical controls evaluated during a detailed security review of an information system, referred to as security certification. The security certification and accreditation process consists of four distinct phases: initiation, security certification, security accreditation, and continuous monitoring.

As a part of OIG's review, a subset of 21 systems was judgmentally selected and reviewed from the Department's third quarter FY 2008 inventory listing to assess the Department's C&A process. OIG conducted a risk assessment of the over 500 controls established in Appendix D of NIST SP 800-53, Revision 1,[13] to select a sample of 50 specific controls to use to evaluate and rate the Department's C&A process. The specific controls cover a broad breadth of information-security risk areas such as the existence of C&A documentation, quality factors of C&A documentation and related process, annual system testing, contingency plan testing, and contractor system oversight.

For each of the 21 systems evaluated, OIG reviewed the documentation that identified, certified, and accredited the security controls and found that 19 of the 21 subset sample systems had complete C&A documentation in accordance with NIST standards. Based on its review, OIG concluded that the documentation for the sampled systems demonstrated an overall good quality rating for the first three phases of the C&A process (i.e., initiation, security certification, and security accreditation). Further, OIG identified that annual system testing was conducted as part of the continuous monitoring phase for each of the sampled systems. However, OIG identified several areas where the documentation for the quality of testing was missing or not complete. The following section discusses OIG's C&A results that correspond to OMB's FISMA template questions.

[13] National Institute of Standards and Technology Special Publication 800-53 Revision 1, Recommended Security Controls for Federal Information Systems, December 2006.

C&A Quality

OIG rated the overall quality of the Department's C&A process as "good." To evaluate the quality of the C&A process, OIG reviewed systems documentation for the 21 subset systems to determine the existence of systems controls testing. The results of the OIG review determined that of the identified key controls, the documentation for all but one control, System Connection Agreements, was adequate. Specifically, OIG identified weak documentation, and no testing for half of the 21 systems for the System Connection Agreement control when it reviewed systems security plans and certification reports.

In accordance with NIST SP 800-53, the agency should authorize all interfaces between information systems through the use of the system connection agreement control (CA-3) and monitor the system connections on an ongoing basis. Some of the systems documentation indicated that the authors of the system security plans expected interconnections for external systems to be addressed by the systems security plan for OpenNet (the Department's unclassified network); however, OIG did not find that this occurred in documentation reviewed. Further, annual testing for the information systems connection agreement control was not conducted for 11 of the 21 sampled systems. If system connection agreements are not documented and tested, management's knowledge about data interface risks is limited, which could result in unauthorized data changes or unauthorized data use. Development and periodic testing of the CA-3 system connection agreement control between Department system owners and external connection system owners would act as a compensating control for this weakness.

Recommendation 5: The Chief Information Officer should develop and test system connection agreement control (NIST SP 800-53 control CA-3) between Department system owners and external connection system owners to serve as a compensating control for systems security plan testing.

C&A Testing

OIG's review of the Department's documentation for C&A security controls testing demonstrates that annual testing has been completed for the 21 sampled systems. OIG selected a sample of 36 of the NIST SP 800-53 controls. Based on NIST SP 800-53 Revision 1, control CA-7 for Continuous Monitoring requires that those security controls that are volatile or critical to protecting the information system be assessed at least annually. The 36 controls tested were selected as critical controls based on OIG's professional judgment regarding the intent of the NIST criteria. OIG found satisfactory results recorded for 16 of the 36 controls. However, as shown in Table 1, OIG did not find documentation to support whether testing had been conducted for the remaining 20 sampled controls during the annual testing. The scope of OIG's assessment for the FISMA review did not include a review of system control failures or an in-depth review of DS testing.
Consequently, OIG cannot determine whether the control testing weaknesses have resulted in any incidents or failures.

Table 1: Annual C&A Security Control Testing Gaps
C&A Security Controls Without Supporting Test Results Documentation

    AC-2 Account Management
    AC-3 Access Enforcement
    AC-5 Separation of Duties
    AC-6 Least Privilege
    AC-13 Supervision
    AU-2 Auditable Events
    AU-6 Audit Monitoring
    CA-3 System Connections
    IA-2 User ID
    IA-4 Identifier Information
    IA-5 Authenticator Management
    IA-7 Cryptographic Authentication
    MA-2 Controlled Maintenance
    PS-5 Personnel Transfers
    PS-6 Access Agreements
    PS-7 Third Party Personnel Agreements (Contractors)
    SA-6 Software User Restrictions
    SI-2 Flaw Remediation
    SI-10 Information Accuracy, Completeness
    SI-11 Error Handling

Source: NIST Special Publication 800-53, Revision 1.

Legend:
AC - Access Controls
AU - Audit and Accountability
CA - Certification, Accreditation and Security Assessments
IA - Identification and Authentication
MA - Maintenance
PS - Personnel Security
SA - System and Services Agreement
SI - System and Information Integrity

NIST SP 800-37 allows for an annual subset of controls to be tested within the three-year C&A authorization cycle. However, critical controls should be tested annually for high- and moderate-risk systems in accordance with the NIST SP 800-53 Revision 1 control standard for continuous monitoring (CA-7). The gaps in testing for the critical controls identified by the OIG appear to be the result of limited testing oversight. The team noted that gaps in testing were present in most of the sampled systems, and appeared to be for critical controls. IRM/IA officials told OIG that their determination of critical controls to be tested is a system-based approach, and that it has not developed a baseline set of critical controls to be tested for all systems. However, OIG believes that the risk for not testing critical controls is that corresponding controls may fail, which could result in unauthorized data changes or use.
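The following is an added example, not code from this report or from the Department, of the two things this section calls for: a baseline set of critical controls that applies to every high- and moderate-impact system, and a central record of each annual control test with its supporting evidence, checked against that baseline by fiscal year. The baseline is drawn from controls this report names (Table 1 plus CA-7, CM-8, CP-4 and CP-5) and is illustrative only; an agency would define its own. System names, test dates and evidence references are constructed, and a test with no evidence reference is deliberately counted as a gap, which is the condition Table 1 records.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Constructed baseline of critical controls to be tested every year for high-
# and moderate-impact systems (drawn from controls named in this report).
CRITICAL_CONTROLS: Set[str] = {
    "AC-2", "AC-3", "AC-5", "AC-6", "AC-13", "AU-2", "AU-6", "CA-3", "CA-7",
    "CM-8", "CP-4", "CP-5", "IA-2", "IA-4", "IA-5", "IA-7", "MA-2",
    "PS-5", "PS-6", "PS-7", "SA-6", "SI-2", "SI-10", "SI-11",
}


@dataclass(frozen=True)
class ControlTest:
    """One documented test of one control: when, outcome, and where the evidence lives."""
    control: str
    tested_on: date
    result: str      # "pass" or "fail"
    evidence: str    # reference to the test report; empty string means undocumented


@dataclass
class SystemRecord:
    name: str
    impact: str      # FIPS 199 impact level: "high", "moderate" or "low"
    tests: List[ControlTest]


def fiscal_year(d: date) -> int:
    """Federal fiscal year N runs from 1 October N-1 through 30 September N."""
    return d.year + 1 if d.month >= 10 else d.year


def documented_tests(system: SystemRecord, fy: int) -> Dict[str, ControlTest]:
    """Most recent documented test per control within the fiscal year. Tests
    without an evidence reference are ignored because they cannot be verified."""
    latest: Dict[str, ControlTest] = {}
    for t in system.tests:
        if fiscal_year(t.tested_on) != fy or not t.evidence:
            continue
        if t.control not in latest or t.tested_on > latest[t.control].tested_on:
            latest[t.control] = t
    return latest


def untested_critical(system: SystemRecord, fy: int) -> Set[str]:
    """Critical controls with no supporting test documentation in the fiscal year.
    The annual baseline applies to high- and moderate-impact systems only."""
    if system.impact not in ("high", "moderate"):
        return set()
    return CRITICAL_CONTROLS - set(documented_tests(system, fy))


def failed_critical(system: SystemRecord, fy: int) -> Set[str]:
    """Critical controls whose most recent documented test in the year failed."""
    return {c for c, t in documented_tests(system, fy).items()
            if c in CRITICAL_CONTROLS and t.result == "fail"}


def coverage_report(systems: List[SystemRecord], fy: int) -> Dict[str, Set[str]]:
    """System name -> critical controls lacking test evidence for the fiscal year."""
    return {s.name: untested_critical(s, fy) for s in systems}


def build_sample() -> List[SystemRecord]:
    """Constructed sample inventory (not the report's systems)."""
    a_tests = [ControlTest(c, date(2008, 3, 1), "pass", "ST&E report FY08-03")
               for c in sorted(CRITICAL_CONTROLS) if c not in ("CA-3", "CM-8")]
    # CA-3 was last tested in the prior C&A cycle, so it does not count for FY 2008.
    a_tests.append(ControlTest("CA-3", date(2006, 11, 15), "pass", "C&A package 2007"))
    sys_a = SystemRecord("SystemA", "high", a_tests)

    b_tests = [ControlTest(c, date(2008, 5, 20), "pass", "Annual test memo FY08")
               for c in sorted(CRITICAL_CONTROLS) if c not in ("AC-13", "SI-2")]
    b_tests.append(ControlTest("AC-13", date(2008, 5, 20), "pass", ""))   # claimed, no evidence
    b_tests.append(ControlTest("SI-2", date(2008, 5, 20), "fail", "Annual test memo FY08"))
    sys_b = SystemRecord("SystemB", "moderate", b_tests)

    sys_c = SystemRecord("SystemC", "low", [])   # low impact: baseline not applied here
    return [sys_a, sys_b, sys_c]


if __name__ == "__main__":
    systems = build_sample()
    for name, gaps in coverage_report(systems, 2008).items():
        print(name, "untested critical controls:", sorted(gaps) or "none")
    print("SystemB failed critical controls:", sorted(failed_critical(systems[1], 2008)))
```

The report distinguishes a control that was tested and failed (SI-2 on SystemB, which belongs in a POA&M) from a control with no evidence that it was tested at all (AC-13 on SystemB, CA-3 and CM-8 on SystemA); Table 1 records the second kind, and the record above keeps the two apart so that an overseer can ask different questions of each.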
A centrally maintained record of the testing cycle with results for all NIST SP 800-53 controls would improve monitoring.

Recommendation 6: The Chief Information Officer should review the security control testing program to ensure that all critical controls are identified and tested at least annually for high- and moderate-risk systems.

C&A Contingency Plans

To evaluate compliance with contingency plan[14] testing for the subset of systems reviewed, OIG considered documentary evidence using NIST SP 800-53 control objective CP-4 (contingency plan testing and exercises) that included a review of management letters to confirm that an annual contingency plan test had been conducted. In addition, as a part of OIG's review, control objective CP-5 (contingency plan update) was also reviewed to determine whether the contingency plan was revised or updated to address problems encountered during plan implementation, execution, or testing. Lastly, the corresponding POA&Ms for these systems were reviewed for control objective CA-5 (Plan of Action and Milestones) to determine whether test results were incorporated and corrective actions were implemented.

NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, recommends that test results and lessons learned be documented and reviewed. In addition, information collected during the test and post-test reviews that improve plan effectiveness should be incorporated into the contingency plan. Per NIST SP 800-53, POA&M updates should be based on findings from security control assessments, security impact analyses, and continuous monitoring activities that include contingency planning. Further, the Department's policy on contingency plans, contained in Chapter 5 of the Foreign Affairs Manual (FAM), section 1064.2,[15] requires that copies of the contingency plan and test results be retained for review.

Based on the results of its evaluation, OIG found that the documentation for 18 of the 21 subset sampled systems provided evidence that annual contingency plan testing and exercises (CP-4) were completed. However, OIG also found that only 5 of the 21 subset sampled systems had documentation to support that contingency plans had been updated and/or that test results had been incorporated into POA&Ms in accordance with control objective CP-5. IRM/IA has begun implementing a new policy to require an attachment to the management letters that details test results and plan updates. The quality of contingency plans and testing should improve overall once IRM/IA's new attachment and associated quality review are fully implemented.

Recommendation 7: The Chief Information Officer should update its policy on contingency planning to require that contingency plan test results be incorporated into an updated system contingency plan.

Recommendation 8: The Chief Information Officer should provide guidance to system owners to ensure that contingency plan test results are adequately documented and incorporated, as needed, into the plans of action and milestone process.

[14] The contingency plan is a coordinated strategy involving plans, procedures, and technical measures to enable the recovery of information systems after a disruption.
[15] 5 FAM 1064.2, Contingency Planning and Continuity of Operations, August 1, 2007.

Contractor Operated or Used Systems

As a part of the testing methodology conducted by OIG, responses from system owners and two security controls identified in NIST SP 800-53, Revision 1, were used to evaluate the existence and adequacy of the Department's compliance with respect to performing contractor oversight and evaluation. OMB's instructions for FISMA compliance reporting include identifying contractor systems used or operated by a contractor on behalf of an agency or Department. To corroborate the Department's inventory of contractor systems, OIG administered a questionnaire to system owners regarding the existence of such systems not previously reported for inventory purposes. To evaluate oversight and evaluation of contractor systems, OIG reviewed the system security plans (SSP) and other relevant documentation pertaining to testing conducted during FY 2008 to determine whether the two NIST controls described below were included in testing plans and results for the 21 systems sampled. OIG considered both controls to be critical and subject to annual testing based on OIG's professional judgment regarding the intent of the NIST criteria. OIG considered both annual and C&A testing performed during FY 2008 in its evaluation.
Specifically, these evaluation factors were used:

• CA-3 Information System Connections - Certification, Accreditation and Security Assessment Control: This control requires that the organization authorizes all connections from the information system to other information systems outside of the accreditation boundary through the use of system connection agreements and that it monitor/control the system connections on an ongoing basis.
• AC-13 Supervision and Review - Access Control: This control requires the organization to supervise and review the activities of users with respect to the enforcement and usage of information system access controls.
• OIG Questionnaire: System owners were asked, "Did your most recent submission to the IRM ITAB include all systems owned by contractors used to support the business processes supported by your sampled system(s)?"

OIG identified four of the 21 sampled systems that did not fully comply with these controls:

• Global Financial Management System (GFMS) - The respondent to OIG's questionnaire identified five unreported contractor-owned systems that interface with the GFMS: Citibank, Carlson-Wagonlit ITS/GTS, American Express ITS/GTS, US Bank/PowerTrack, and Carlson-Wagonlit eTravel. However, in evaluating for compliance with control CA-3, OIG found that the SSP did not include an Interconnection Security Agreement (ISA) or Memoranda of Understanding/Agreement (MOU/A) for system connections for these five contractor systems and that there was no testing for CA-3 controls on GFMS performed during FY 2008. OIG reviewed documentation which supports that the AC-13 control was tested and successfully passed.
• Passport Information Electronic Records System (PIERS) - The OIG's review found that the SSP did not include Memoranda of Understanding (MOU) for system connections with contract users, and that there was no testing of system connection agreements pursuant to control CA-3, although the PIERS system owner indicated that system controls were in place in response to OIG's questionnaire. In a separate review of PIERS,[16] OIG found weaknesses in contractor access oversight controls as a result of a security incident involving a privacy breach caused by unauthorized access to data by a contractor with access to PIERS. OIG reviewed documentation which supports that the AC-13 control was tested and successfully passed.
• Student Training Management System (STMS) - OIG found that the AC-13 control was not tested during FY 2008, although the system owner's response to the OIG's questionnaire indicated that contractor access control violations were supervised. STMS is operated largely by contractors with access to PII through an interface with the Department's Global Employee Management System (GEMS). Because AC-13 has not been tested, there is no corroborating evidence that access control violations by contractors are supervised. Regarding control CA-3, OIG found that although the SSP did not include an ISA or MOU for system connections with GEMS, the control was successfully tested.
• Bureau of International Narcotics and Law Enforcement Affairs enterprise network (GINL) - OIG did not receive a response to its management questionnaire for the GINL, despite repeated attempts to obtain it. Based on documentation in the SSP, OIG found that a major contractor for the Department shares information with GINL. However, no ISA or MOU for this interconnection was referenced in the SSP and there was no test conducted for control CA-3. Consequently, contractor oversight may not be in effect for this critical information-sharing process. OIG reviewed documentation which supports that the AC-13 control was successfully tested.

As detailed above, OIG identified deficiencies for critical contractor oversight controls in these four systems. Federal policy requires federal agencies to establish interconnection agreements. Specifically, OMB Circular A-130, Appendix III, requires agencies to obtain written management authorization before connecting their IT systems to other systems, based on an acceptable level of risk. Further, NIST SP 800-47[17] provides guidance for planning, establishing, maintaining, and terminating interconnections between information technology (IT) systems.

The Department could experience unknown exposure of unauthorized changes or use to Department data if these two critical controls are ineffective. Further, the Department may not have reasonable assurance that controls are implemented correctly, are operating as intended, and are producing the desired outcome with respect to meeting the security requirements of the Department. In addition, the Department may not be fully aware of the security control weaknesses impacting its systems, thereby leaving its information and systems vulnerable to attack or compromise. Therefore, OIG concluded that 4 of the 21 sampled systems (GFMS, PIERS, STMS, and GINL) are not fully compliant with OMB's contractor oversight requirements, resulting in a compliance rate of 81%.

[16] AUD/IP-08-29, Review of Controls and Notification for Access to Passport Records in the Department of State's Passport Information Electronic Records System (PIERS), July 2008.
[17] NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002.

Recommendation 9: The Chief Information Officer should develop and document a process for management and oversight of contractor-owned and/or operated information systems. This documented process should include, at a minimum, the process for identifying and describing the interconnectivity between contractor systems and the Department.

Recommendation 10: The Chief Information Officer should develop and maintain Interconnection Security Agreements and Memoranda of Understanding/Agreements in System Security Accreditation files.

Privacy

Since last year's FISMA review, the Department has made progress in addressing its privacy responsibilities, and OIG has raised the overall ratings in this discipline from "satisfactory" to "good."
The Assistant Secretary for Administration serves as the Department's Senior Agency Official for Privacy and is the delegated authority for privacy oversight Department-wide. The Assistant Secretary administers this responsibility through the Privacy Protection Governance Board (PPGB), which consists of the CIO and various bureaus, including Consular Affairs (CA) and DS. Further, additional improvements regarding privacy impact assessments (PIA) and protecting PII are underway.

Privacy guidance and provisions for all federal agencies are described in Section 208 of the E-Government Act of 2002[18] and OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. Per the E-Government Act of 2002, agencies are required to conduct PIAs for electronic information systems and collection, and make the assessments publicly available. Further, the agency must post privacy policies on agency websites and translate privacy policies into a standardized machine-readable format. OMB Memorandum M-03-22 provides additional guidance to the agencies and directs them to conduct reviews of how information about individuals is handled within their agency when they use electronic means to collect new information, or when agencies develop or buy new systems to handle collections of PII.

The Department posted privacy policies on the Bureau of Administration's Intranet privacy/PII website, which describe all necessary federal and Department privacy regulations. The website includes the Department's "Privacy Impact Assessment Guide and Template" issued in June 2008. The document contains guidance for writing PIAs and specific instructions to system owners for answering questions contained on the updated template. According to agency officials, the goal for the Department is to have all privacy systems comply with guidance as new assessments are created and existing ones are updated. In addition, the Privacy Office finalized the Department's Personally Identifiable Information Breach Response Policy in May 2008. An official in the Privacy Office also stated that PII training has been developed and is available.

[18] Pub. L. No. 107-347, 44 U.S.C. §§ 3601-06.

OIG reviewed the contents of a sample of ten PIAs from a universe of 61 systems that the Department identified as requiring PIAs to assess compliance with the Department's privacy procedures and policies in effect at the time of its review. The team evaluated the PIAs or summaries for these ten systems for compliance with the E-Government Act of 2002 and OMB guidance. OIG determined that, overall, the Department had complied with the provisions of Section 208 of the E-Government Act while conducting PIAs except for three occurrences which demonstrated that the Department did not provide information on choices available to individuals regarding providing personal information. Department officials advised OIG that these PIAs were conducted prior to the implementation of the updated PIA template and that this information will be provided when the systems are recertified. Further, the Department did not include any analysis for the ten systems to show what decisions were made by the agency regarding the system or collections of information as a result of PIAs. Department officials advised OIG that the updated PIA template requires this type of analysis. Additionally, the Department's Privacy Program Office is taking a strategic three-year approach to migrate all of the existing PIAs to the updated template as the systems undergo recertification.

In May 2008, the Department finalized the Personally Identifiable Information Breach Response Policy that addresses the provisions of OMB Memorandum M-07-16. Also, the Privacy Protection Governance Board (PPGB) met on a regular basis in FY 2007 and 2008. PPGB is responsible for addressing potential privacy issues impacting Department programs and initiatives. The PPGB is chaired by the Assistant Secretary for Administration as the designated Senior Agency Official for Privacy.

The Computer Incident Response Team (CIRT) coordinates with the Department's Privacy Office for tracking and reporting PII breaches. In March 2008, CIRT notified the U.S. Community Emergency Response Team (US-CERT) of a PII breach regarding passport information belonging to several U.S. senators. The OIG conducted two audits[19] in FY 2008 of passport operations in CA that involved breaches of PII information.

[19] OIG Report AUD/IP-08-19, Safeguarding Domestic Passport Applications During Transit, March 2008, and AUD/IP-08-29, Review of Controls and Notification for Access to Passport Records in the Department of State's Passport Information Electronic Records System (PIERS), July 2008.

Configuration Management

The Department has made some improvements since last year in implementing common security configurations. The Department has documented its agency-wide policy for configuration management in guidance established by DS and IRM/IA.
Based on the documentation provided, the configuration management policies are found in the Computer Security Configuration Guidance standard operating procedures, configuration guidance, 5 Foreign Affairs Handbook 11, and on the IT Change Control Board website. The Department's documentation details policies and procedures that, in part, cover common security configuration management and change management controls required by NIST SP 800-53. Improvements are needed to achieve implementation of the Federal Desktop Core Configuration security settings.

Bureaus within the Department provided configuration management documentation for the systems selected by the OIG, such as SSPs, contingency plans, and certification reports. The analysis of the documentation as of the third quarter of FY 2008 revealed that controls are tested for policies and procedures, baseline configuration, configuration change control, and functionality. The documentation also indicated that controls related to change control monitoring, access restrictions, and configuration settings were tested less frequently. Additionally, control number CM-8, Information System Component Inventory, identified from NIST SP 800-53, Revision 1, which details how to determine whether the system owners maintain a component inventory, was tested by only 3 of the 21 subset systems included in the OIG subset sample. IRM/IA responded to OIG by stating that the control template distributed to system owners for configuration management testing was based on NIST SP 800-53A, which did not include the Information System Component Inventory control. However, the configuration management testing conducted should have been based on guidance found in NIST SP 800-53, Revision 1, dated December 2006 and effective December 2007, which includes control CM-8.

OIG also attempted to assess the extent to which the Department has implemented the configuration management policies. The Department utilizes iPost 20 to consolidate vulnerability scanning data to determine security configuration compliance related to security compliance, patch management, and the standard operating environment. However, the reporting information provided from iPost is for network activity by site location, not by application, as required by NIST SP 800-53, Revision 1. As a result, the OIG was unable to determine the extent to which the Department had implemented its configuration management controls.

20 iPost is a one-stop shop for support personnel responsible for monitoring the Information Technology infrastructure.

Federal Desktop Core Configuration (FDCC)

OMB Memorandum M-07-11 21 requires agencies to adopt FDCC standards. The policy requires agencies to adopt standard security configurations for desktops when using Microsoft Windows XP and Vista operating systems. DS has developed a configuration guide that documents the compliance requirements for FDCC configuration standards for Windows XP operating systems. Although the Department established an FDCC implementation plan and began its rollout, not all workstations have been successfully implemented with FDCC standards.

According to IRM/IA and DS officials, a FDCC review was performed on the more than 70,000 Windows XP and Vista desktops. IRM/IA and DS assessed 7,500 desktops (10 percent sample of the total universe) to evaluate compliance for FDCC implementation. Based on a presentation provided by IRM/IA, approximately 80 percent of the controls had been successfully implemented for the 7,500 desktops, and another 8 percent were approved for deviations from compliance, for an overall compliance rate of 88 percent. According to IRM/IA, the compliance test for this sample of desktops was performed one week after implementation was conducted. IRM/IA provided examples to OIG of why the reported success implementation percentage was not higher. These included machines not being rebooted, conflicting group policies at the operational level, and scan software not scanning accurately through the network, among others.

OIG acknowledges that the Department has made significant progress in complying with FDCC requirements. However, the requirement for FDCC compliance is that implementation is made on all Windows XP and Vista desktops, and this has not yet been completed as evidenced from IRM/IA's testing results. IRM/IA and DS officials stated that implementation of FDCC standards on all desktops will be completed by July 2009.

21 Office of Management and Budget Memorandum M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, March 2007.

E-Authentication

The Department performed and completed an e-Authentication Risk Assessment Review (e-RAR) for 1,400 systems identified from the data call and the FISMA reportable inventory. System owners completed the E-Authentication Risk Assessment (e-RA) spreadsheets, which IRM/IA officials reviewed for accuracy. Based on the responses provided to OIG, configuration for E-Authentication requirements was performed adequately and in compliance with NIST SP 800-63 requirements.

Incident Reporting

The Department's incident response program continues to operate effectively and is well coordinated. FISMA requires agencies to establish procedures for detecting, reporting, and responding to security incidents. NIST SP 800-61 provides guidance to agencies on establishing an effective incident response program. The guidance focuses on four phases: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity. Having an effective and well-coordinated incident response program helps the Department improve security, minimize loss and destruction, identify weaknesses, and ensure continuity of operations.

The Computer Incident Response Team (CIRT) within DS is the center of the Department's incident response program. CIRT's efforts to safeguard the Department's networks involve collaboration and sharing information with other program officials within DS, including the Cyber Threat Analysis Division (CTAD) and the Virus Incident Response Team (VIRT). In addition, CIRT officials coordinate with IRM's Firewall Team and Enterprise Network Management Operations Center, systems managers, information system security officers, regional computer security officers, and the privacy team. CIRT works cohesively with these entities to identify threats; monitor networks; identify, analyze, and report anomalies; implement corrective action; and identify trends to improve the security posture for the Department.

Key components of risk management are identifying trends for security incidents and determining effective ways to deal with them. The CIRT team generates several reports to keep Department officials aware of continuing activity and the status of its operations. These reports include daily cyber security briefs and non-malicious events, the CIRT monthly report, and ad hoc reports as requested. Department officials advised OIG that CIRT reports are used to assess and improve the security of the Department's systems. For example, CIRT's daily reports of non-malicious events are being used by one official to identify trends that may require reminders to information technology staff. Another official advised that intrusion detection measures have been added to the organization's network as a result of CIRT reports. A third official reviews CIRT reports for announcements that may help improve the security of the system. Lastly, privacy officials stated that a breach incident log has been created to generate reports and incorporate lessons learned.

As of August 22, 2008, CIRT had opened 2,672 event tickets and closed 2,675 incidents and referred 294 incidents to US-CERT. The types of incidents reported included improper usage, malicious code, unauthorized access, and privacy breaches, among others. CIRT implemented several new initiatives in FY 2008 to improve its services and provide more effective analyses and reports, including the following:

• paying more attention to cyber events that are potentially malicious rather than non-malicious;
• expanding sensor coverage on networks to capture more anomalies and viruses;
• aggregating events identified from reports and logs from CIRT, CTAD, and VIRT to identify commonalities;
• assessing world events to increase network monitoring activity in affected regions;
• providing mandatory training for CIRT analysts; and
• reporting PII breaches reported to the privacy team and to US-CERT.

CIRT assumed responsibility for tracking and reporting PII breaches in January 2008. In March of 2008, CIRT notified US-CERT of a PII breach regarding passport information pertaining to several U.S. senators. The OIG conducted two audits 22 in FY 2008 (March and July, respectively) of passport operations in CA. The March 2008 report involved the safeguarding of PII in passports during transit, and the July 2008 report involved PII breaches of passport information stored in the Passport Information Electronic Records System (PIERS). As a result of the OIG audits, CA has implemented several measures to improve its operations, including the following: 1) developing guidance for incident detection and reporting for PIERS; 2) developing guidelines for reporting missing or lost passport applications; and 3) assembling a security working group that consists of staff from CA and other Department bureaus that provides oversight for PII through enhanced monitoring of systems and databases, reporting and auditing activity, training, and disciplinary actions in the event of a breach in order to minimize PII breaches.

In addition, the Privacy Office issued the Department's Personally Identifiable Information Breach Response Policy in May 2008. Further, officials continue to participate in CA working groups on mitigation strategies. An official in the Privacy Office also stated that PII training has also been developed and is provided to new civil service employees who are enrolled in FSI's New Civil Service Orientation and Orientation for Civil Service Employees with Department of State Experience courses. In addition, PII training is provided during weekly briefings to information management officers and student employees participating in the Student Cooperative Employment Program.
Further, training on how to conduct privacy impact assessments is made available specifically to bureaus and offices.

Having an effective and well coordinated incident response program helps the Department improve security, minimize loss and destruction, identify weaknesses, and ensure continuity of operations.

22 OIG Report AUD/IP-08-19, Safeguarding Domestic Passport Applications During Transit, March 2008, and AUD/IP-08-29, Review of Controls and Notification for Access to Passport Records in the Department of State's Passport Information Electronic Records System (PIERS), July 2008.

Security Awareness Training, Peer-to-Peer File Sharing

The Department has made positive progress in its security awareness efforts and has "mostly" ensured that security awareness training is accomplished. Currently, the Department provides two types of awareness training to its system users: security awareness training and role-based training. Security awareness training is offered through an online course developed and coordinated with DS, IA, and Foreign Service Institute (FSI) representatives. Based on documentation OIG received from FSI, the online training material (course number PS800) includes information on user responsibilities, computer risks, threats and vulnerabilities, and privacy issues. The training content also includes policies on the use of collaborative web technologies and peer-to-peer file sharing. Per 12 FAM 622.2, the responsibility of staff completing security awareness training is placed on the Information Systems Security Officer, Information Management Officer, or system administrator. Notices for the annual training requirement are sent via email notifications and Department-wide announcements to system users. As of August 1, 2008, more than 55,000 employees had completed the PS800 course for the fiscal year. Role-based training is another awareness training provided to selected individuals, including executives, managers, system administrators, Information Systems Security Officers, and law enforcement employees within the Department. The role-based training is an instructor-led course that can also be taken via distance learning. The training includes supplemental modules focusing on the latest security issues. Documentation received from the Diplomatic Security Training Center showed that more than 900 individuals had enrolled in the role-based training courses as of August 12, 2008.

The universe for those required to take security awareness training is determined by system accounts. The issue of multiple accounts for the same individual is still a matter that needs to be addressed by the Department. By having multiple accounts for the same employee, duplication of training entries can occur, resulting in the Department not having complete assurance of the total number of employees required to take training on an annual basis. OIG has an open recommendation from its FY 2006 FISMA report addressing this matter. Per IRM/IA officials, the Department is planning to include training statistics on iPost for each bureau and overseas post. This will place the burden on the respective bureau or post Information Systems Security Officers to review and eliminate duplicate entries to receive a better FISMA evaluation result on training.

The Department began addressing the awareness training requirement for non-system employees (i.e., drivers, janitors, and gardeners) this fiscal year. In a July 31, 2008, memorandum from the CISO to OIG, the Department states it will provide awareness training to non-system employees by requesting Regional Security Officers to give awareness training to new employees at posts, as well as place posters around the embassy or consulate for display. The Department has taken positive steps in this respect. However, performance metrics would help determine whether the process performed by the Regional Security Officers is working effectively.

Recommendation 11: The Chief Information Officer should establish a process to monitor and validate security awareness training provided to those individuals without access to Department networks.

RECOMMENDATIONS

Recommendation 1: The Chief Information Officer should reschedule annual inventory data call activities to allow sufficient time to complete the analysis of pending items prior to the annual FISMA review.

Recommendation 2: The Chief Information Officer should ensure that system owners are provided with improved guidance for properly identifying contractor-owned or operated systems and how to report them for systems inventory purposes.

Recommendation 3: The Chief Information Officer should ensure that national security systems are properly classified and accounted for by the Bureaus of Information Resources Management and Diplomatic Security in their respective Federal Information Security Management Act inventories.

Recommendation 4: The Chief Information Officer should coordinate with system owners to develop a method to ensure that each system owner provides timely and complete updates to plans of action and milestones databases and relevant officials, including the Bureau of Information Resources Management, Office of Information Assurance, on a regular basis.

Recommendation 5: The Chief Information Officer should develop and test system connection agreement control (NIST SP 800-53 control CA-3) between Department system owners and external connection system owners to serve as a compensating control for systems security plan testing.

Recommendation 6: The Chief Information Officer should review the security control testing program to ensure that all critical controls are identified and tested at least annually for high and moderate risk systems.

Recommendation 7: The Chief Information Officer should update its policy on contingency planning to require that contingency plan test results be incorporated into an updated system contingency plan.

Recommendation 8: The Chief Information Officer should provide guidance to system owners to ensure that contingency plan test results are adequately documented and incorporated, as needed, into the plans of action and milestone process.

Recommendation 9: The Chief Information Officer should develop and document a process for management and oversight of contractor-owned and/or operated information systems. This documented process should include, at a minimum, the process for identifying and describing the interconnectivity between contractor systems and the Department.

Recommendation 10: The Chief Information Officer should develop and maintain Interconnection Security Agreements and Memoranda of Understanding/Agreements in System Security Accreditation files.

Recommendation 11: The Chief Information Officer should establish a process to monitor and validate security awareness training provided to those individuals without access to Department networks.

APPENDIX A - DEPARTMENT RESPONSE

Chief Information Officer
Information Resource Management
Washington, D.C.

OCT - 2 [year illegible in scan]

UNCLASSIFIED
MEMORANDUM

TO: OIG - Mark W. Duda

FROM: IRM - Susan H. Swart

SUBJECT: Review of the Information Security Program at the Department of State (AUD/IT-08-36)

In accordance with the Federal Information Security Management Act (FISMA), as the Chief Information Officer of the Department of State, I am providing formal comments to the OIG's official recommendations.
My comments are attached for inclusion as an appendix to the OIG's Annual Review of the Information Security Program at the Department of State (AUD/IT-08-36, September 2008).

Attached as stated.

Management Comments:

The Department appreciates both the opportunity to comment on this report, and also appreciates the effort that the OIG has expended in this year's FISMA review. Under the leadership of Karen Bell, the team of OIG direct hires and contractors has conducted a substantive review which has identified significant opportunities to improve the security of the Department's information.

Notwithstanding these positive results, the Department proposes that there is a collective need to address two outstanding issues to improve the overall FISMA process (including the annual review).

Issue 1: Over the last several years, a different FISMA OIG team has typically conducted the review each year. In each of those years, there have been divergent ideas about the criteria that the Department must meet to satisfy the FISMA grading criteria embodied in the Reporting Template for IGs, and related reporting guidance. Inadvertently, this creates a level of ambiguity that makes it hard (or impossible) for the Department to know what to do to succeed.

OIG Action Requested for Issue 1: As a result, the Department respectfully requests OIG officials and Department security managers meet during the first quarter of FY09 to establish clear criteria for areas that have caused issues in the past because of their ambiguity. These criteria would be documented in a MOA between the OIG and the Department to guide subsequent FISMA reviews. The overall goal of the MOA would be to: a) maintain the independence of the OIG and its staff, and b) provide the Department with a better understanding of how it can best improve security while complying with the FISMA reporting criteria.

Issue 2: Although the OIG recognized significant improvements in all other areas of FISMA oversight for the past two years, the OIG has found issues related to annual testing (specifically, Reporting Template for IGs, Question 3a) which was used to justify reducing the Department's FISMA grade by one full letter grade in each year. While the Department sincerely appreciates the efforts undertaken by the OIG's review of the agency-wide information security program, the OIG's report notes that it did not have the resources to take a comprehensive look at all program areas related to Question 3a. As a result, the Department is concerned that other weaknesses related to Question 3a may exist that have not been identified.

OIG Action Requested for Issue 2: As a result of Issue 2, the Department requests that the OIG conduct an independent and comprehensive review of the Department's efforts to fulfill the requirements related to Question 3a, and to make such recommendations as necessary to allow the Department to make changes to the program, as needed, to make the program fully compliant. Moreover, the Department urgently requests that this be done early enough in fiscal year 2009 so that implementation of the recommendation(s) could begin in Q2. If the OIG cannot, for some reason, meet the scope or time frame for this review, the Department proposes that the OIG hire an independent reviewer to conduct this study under OIG supervision, consistent with the authorities provided by FISMA.

In its original draft report, the OIG made several suggestions for the Department to consider for improving its current activities in the areas of inventory management, contingency plans, and security awareness training that would be necessary to address the OIG findings. The Department asked that these be expressed as formal recommendations (and they were) to allow the Department to provide a clear management response so that we would know how to properly respond to these items, and so others in the Department would not miss these significant "suggestions".

Notwithstanding these concerns, the Department is pleased to note that the OIG recognized the Department for:

• "Significant effort" in "producing a reliable and accurate inventory under the guidelines of FISMA."
• A "focused effort" that has "markedly improved its POA&M process since last year's FISMA review."
• "Significant improvement this fiscal year in providing the supporting documentation that demonstrates its compliance" with C&A Standard, justifying a "good" rating of the C&A program.
• Raising the overall rating of the Privacy program from "satisfactory" to "good."
• Improvements in implementing common security configurations, including: a) adopting the FDCC standard configurations, b) incorporating required FDCC acquisition language in new contracts, and c) achieving 88% compliance with FDCC requirements by early September 2008.
• Compliance with requirements for e-Authentication Risk Assessments.
• Continuing an incident response program which is operated "effectively and is well coordinated."

Having made "positive progress in its security awareness efforts," we now turn to the significant findings of this review and what steps will be taken to address the specific opportunities for improvement identified by the OIG.

Recommendation 1: The Chief Information Officer should reschedule annual inventory data call activities to allow sufficient time to complete the analysis of pending items prior to the annual FISMA review.

The Department notes that while implementing this recommendation will not improve the overall high quality of the Department's inventory process, it will reduce ambiguity at the time of the FISMA review. This is a valid and valuable outcome.
Thus, the Department concurs with this recommendation.

The Department also notes: a) the need to focus on identifying any missing "contractor systems" and interconnections (see recommendations 2, 5, and 9), and b) conducting more than one full data call in any 12-month period would significantly erode field willingness to participate.

In the light of these considerations, the Department will address this recommendation by taking the following actions:

• The FY2009 inventory data call will provide increased focus on defining and identifying "contractor systems" and "system connections" that may be missing.
• The FY2009 data call will be initiated in early FY2009.
• Routine quarterly inventory data calls will remind bureau and post system owners to report new systems, significant changes, etc.

For comprehensive reporting purposes, the Department's inventory process is described below:

• The inventory data call process is designed as a screening process to identify assets which may need to be in inventory. It is explicitly designed to prevent those responding not to be able to exclude systems that need to be reported. The result of this focus on avoiding missing systems is a higher rate of false positives. But, importantly, this first step helps significantly to ensure that all Department systems that might need to be added to inventory are considered.
• The second test is the analysis of pending items conducted by system owners after the data call, carefully guided by IRM/IA FISMA inventory experts. This is a rigorous documented process, implemented through careful application of FISMA, OMB, and NIST guidance. Conducting this level of analysis before the data call on all "assets" that might be systems would be prohibitively expensive. Conducting it on the pending items after the data call ensures that false positives are eliminated and that just the right set of missing systems are added to inventory.

In summary, the Department is proud of its overall inventory process, and views the step of identifying a large number of candidate systems for expert screening to be one of the main strengths of the process, not a weakness. If the Department changed the data call to identify fewer pending (candidate) systems for the more rigorous second test stage, the overall confidence in the inventory completeness would likely be significantly compromised.

Recommendation 2: The Chief Information Officer should ensure that system owners are provided with improved guidance for properly identifying contractor-owned or operated systems and how to report them for systems inventory purposes.

The Department concurs with this recommendation. The CIO will direct IRM/IA to review existing laws and regulations regarding criteria to identify which systems are to be included in the Department's inventory. Based on this review, IRM/IA will add appropriate guidance to the Department's "Inventory Toolkit" 1 to ensure accurate and consistent guidance is provided to system owners in this regard. This improvement will provide significantly increased assurance that all Department systems 2 (and only the Department's systems) are included in the Department inventory.

1 This toolkit, and others referenced in this document, are defined in Department Notice [number illegible in scan] as required procedures to be implemented to conduct the Department's Certification and Accreditation program according to Department policy.

Recommendation 3: The Chief Information Officer should ensure that national security systems are properly classified and accounted for by the Bureaus of Information Resources Management and Diplomatic Security in their respective Federal Information Security Management Act inventories.

The Department concurs with this recommendation. The CIO directs IRM/IA to modify the Department's "Inventory Toolkit" to clarify which systems are inventoried by IRM/IA and which are inventoried by DS/SI/IS in support of the Intelligence Community Chief Information Officer's FISMA reporting. This improvement will ensure that system owners will be able to easily verify the correct venue in which to report each system.

Recommendation 4: The Chief Information Officer should coordinate with system owners to develop a method to ensure that each system owner provides timely and complete updates to plans of action and milestones databases and relevant officials, including the Bureau of Information Resources Management/Office of Information Assurance, on a regular basis.

The Department concurs with this recommendation.
The CIO will send\nformal quarterly grade letters fro m the CIO to bureau executives on the qual ity of\nbureau plan of action and milestones (POA&M) process implementation. This will\ncover: 3) timely and complete identification of weaknesses, b) development of\nremediation plans, c) implementation ofreme<iiation, and d) management of\nweaknesses (including timely and completc quarterly updatcs of status). These\nimprovements will help ensure that system owners: a) define actionable tasks to\naddress weaknesses, b) define appropriate priori ty to each action, and c) allocate\nappropriate resources to complete those tasks and documentthcm in the POA&M\nsystem.\n\n\n\n\'Ccnslslenl with FISMA lOIId OMB luthorit)es, 1M lerm ~ttml!nt ~!em," uwd t.tre to refer not ju.\\ \\g\n....., _ ~ and ~lH bvlhot ~tt ......, (al<a\xc2\xb7~ .....,em.... L bulll\\.O \'MKe ~Ilfod 0tI bHI.11 olm.\nDepirt~t byothets I~ tMy m~~, iU "tonlJ iKtOf sYl>trms\'"). This Ie<m, U usl\'d i\'lrfe, doe1 ",,\'lndude\n~Irms..mldl Irr not III>def the uJtimllecontrol..,d Iftl)On~ity of l/Ie Orpiflment, per OMB flSMA luidancr.\n\n\n\n\n                                                                                                              32\n\x0c                                        -6\xc2\xad\n\n      Recommendation 5: The ChiefInformation Officer should develop and test\n      system conneclion agreemem control (N/ST SP 800-53 control CA-J)\n      between Department system owners and external connection system owners\n      10 sen.\'f! as a compensating conlrolfor systems security plan testing.\n\n       The Department concurs with this recommendation. The CIO will also add\ninfonnatiOIl to the C&A Toolkit clearly articulating FISMA--compliant policy on:\na) identifying, b) assessing the risk of, and c) obtaining connection agreements for\nsuch connections. Next. the CIO will modify the FY2OQ9 inventory data call (see\nrecommendation 8) to include a focus on system connections. 
With respect to the
interconnections, this will include: a) reviewing the completeness and content of
system connections identified in each existing System Security Plan (SSP), b)
accurately assessing the risk those connections pose to other Department systems,
and c) verifying (at least annually) that all active connections to/from existing
major information systems are completely listed in the systems' SSPs. With
regard to the external systems on the other end of each connection, this data call
will include: a) verifying whether the connected systems are Department systems
(see recommendation 2), and b) adding any interconnected Department systems to
inventory, as needed. These improvements will help ensure that the Department
fully complies with both NIST SP 800-53 control CA-3 and NIST SP 800-47.

      The Department notes that the definition of what constitutes a system
connection/interconnection is unclear in existing Federal guidance. To address
this, IRM/IA will develop guidance in its Inventory and C&A Toolkits to clarify
what constitutes an interconnection. 
This improvement will help ensure not
only that system owners actively address all actual connections, but also that
system owners do not waste time being confused about what constitutes such a
connection.

      Recommendation 6: The Chief Information Officer should revamp the
      security control testing program to ensure that all critical controls are
      identified and tested at least annually for high and moderate risk systems.

      The Department concurs with this recommendation, and notes that the OIG's
finding that all critical controls are to be tested at least annually for high and
moderate risk systems is one of the most significant results from this year's report,
and will have positive impact on security when implemented.

      The Department notes that in spite of the identified weakness in the policy
program related to annual testing, several systems owners (notably the Bureau of
Consular Affairs) were conducting annual testing of controls the OIG determined
to be critical. This demonstrates the thoughtfulness and good faith of Department
system owners.

      The Department also notes that its Site Risk Scoring program provides
continuous monitoring, more frequently than annually, of a wide range of controls
critical to its networks and the applications that operate thereon. This helps
demonstrate the good faith of the CIO, CISO, DS and other program officials
responsible for information assurance at the Department.

      The Department notes that during the FY08 FISMA review the OIG team
used their professional judgment to identify a particular set of "critical controls"
(as specified by NIST SP 800-53, control CA-3) only for the purpose of their
review this year (since the Department had not done this). 
However, it is the
Department who has the authority and responsibility to determine which controls it
will consider to be critical and volatile using a risk-based analysis, as long as it
implements a reasonable process to define such controls in compliance with the
guidance from NIST. The controls identified by the Department need not
necessarily match those that the OIG identified this year, and may vary among
major information systems based on the risks identified.

      To address this recommendation, the Department will develop its Annual
Control Assessment Toolkit to provide clear criteria and a process for system
owners to identify which controls are critical and/or volatile for each particular
system. Next, the toolkit will be modified to provide explicit policy that critical
and volatile controls are to be tested annually. Finally, the Department will
organize workshops to introduce this change to system owners. These
improvements will ensure that system owners use a valid and reliable process to
identify critical and volatile controls, and that these are tested at least annually.

      Recommendation 7: The Chief Information Officer should update its
      policy on contingency planning to require that contingency plan test results
      be incorporated into an updated system contingency plan.

      The Department concurs with this recommendation. To help ensure
implementation of this process, the CIO will issue clear directions to system
owners requiring this action, by adding this guidance to its Contingency Plan Test
Toolkit. 
IRM/IA will also add this requirement to its contingency plan test
completion checklist process to provide oversight.

      Recommendation 8: The Chief Information Officer should provide
      guidance to system owners to ensure that contingency plan test results are
      adequately documented and incorporated, as needed, into the plans of
      action and milestone process.

      The Department concurs with this recommendation, and agrees with the
OIG's finding that implementation of an improved process to document
contingency plan test results will largely resolve this recommendation. To help
ensure implementation of this process, the CIO will issue guidance to system
owners stressing the importance of this improvement and requiring implementation
of this process. The Department will also develop its Contingency Plan Test
Toolkit to provide clear directions to system owners on this process.

      Recommendation 9: The Chief Information Officer should develop and
      document a process for management and oversight of contractor-owned
      and/or operated information systems. This documented process should
      include, at a minimum, the process for identifying and describing the
      interconnectivity between contractor systems and the Department.

      The Department concurs with this recommendation. The Department
believes that the actions proposed to address recommendations 1, 2, and 5 will also
adequately address this recommendation. 
These improvements will help ensure: a)
that a reliable and valid process is used to determine which contractor owned
and/or operated systems are Department systems (see recommendations 1 and 2),
b) that all interconnections are documented and tested before being placed in
operation (see recommendation 2), and c) that such interconnections are tested at
the required frequency thereafter (see recommendation 5).

      Recommendation 10: The Chief Information Officer should develop and
      maintain Interconnection Security Agreements and Memoranda of
      Understanding/Agreements in System Security Accreditation files.

      The Department concurs with this recommendation. The CIO directs
IRM/IA to: a) modify the Department's C&A Toolkit to ensure that the system
owners understand the need to document interconnections, and b) validate that the
IRM/IA C&A completion checklists verify that all such agreements that may be
required are on file in IRM/IA.

      Recommendation 11: The Chief Information Officer should establish a
      process to monitor the extent to which security awareness training has been
      provided to those individuals without access to Department networks.

      The Department concurs with this recommendation. The CISO will select a
simple random sample of facilities where such employees are employed. Bureau
EX/DIRs and/or post DCMs for these facilities shall be asked to assign staff to
review and objectively report whether the designed materials were provided to
staff members at each site.

FRAUD,
WASTE, ABUSE OR MISMANAGEMENT
of Federal programs
and resources hurts everyone.

Call the Office of Inspector General
HOTLINE
202/647-3320
or 1-800-409-9926
or e-mail oighotline@state.gov
to report illegal or wasteful activities.

You may also write to
Office of Inspector General
U.S. Department of State
Post Office Box 9778
Arlington, VA 22219

Please visit our website at oig.state.gov

Cables to the Inspector General
should be slugged "OIG Channel"
to ensure confidentiality.